Skip to main content

Material Icons EUVDEUVD-2026-15465

| CVE-2026-3210 MEDIUM
Incorrect Authorization (CWE-863)
2026-03-25 drupal
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 15:46 euvd
EUVD-2026-15465
Analysis Generated
Mar 25, 2026 - 15:46 vuln.today
CVE Published
Mar 25, 2026 - 15:21 nvd
MEDIUM 5.3

DescriptionCVE.org

Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.

AnalysisAI

An incorrect authorization vulnerability exists in the Drupal Material Icons module that allows attackers to bypass authentication controls and access restricted resources through forceful browsing (CWE-863). The vulnerability affects Material Icons versions 0.0.0 through 2.0.3, enabling unauthenticated or low-privileged users to enumerate and access icon resources that should be restricted. No CVSS score, EPSS data, or known exploits in the wild have been disclosed at this time, but the vulnerability has been formally documented by the Drupal security team with a dedicated security advisory.

Technical ContextAI

The Material Icons module for Drupal (CPE: cpe:2.3:a:drupal:material_icons:*:*:*:*:*:*:*:*) is a Drupal contrib module that provides Material Design icon resources for use in Drupal applications. The root cause is classified under CWE-863 (Incorrect Authorization), indicating that the module fails to properly enforce access control checks on icon resources or endpoints. Rather than implementing proper permission-based access controls or role-based restrictions, the module likely relies on obscurity or missing authorization logic, allowing attackers to bypass authentication via direct URL access (forceful browsing). This is a classic authorization bypass rather than an authentication bypass, meaning authenticated sessions may still access resources they should not, or unauthenticated users can access resources entirely.

RemediationAI

Upgrade the Drupal Material Icons module to version 2.0.4 or later immediately. This patch release directly addresses the authorization bypass vulnerability. Site administrators should apply the update through Drupal's admin interface (Admin > Extend > Update) or via Composer with the command 'composer update drupal/material_icons'. As an interim workaround pending patching, enforce restrictive access controls at the web server or reverse proxy level to limit access to icon endpoints to authenticated users only, and review server logs for suspicious direct requests to icon resources. Refer to the official advisory at https://www.drupal.org/sa-contrib-2026-011 for any additional security guidance from the Drupal maintainers.

Share

EUVD-2026-15465 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy